marc:linux:aws:solutionsarchitect
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| marc:linux:aws:solutionsarchitect [2023/02/21 10:16] – marcv | marc:linux:aws:solutionsarchitect [2023/03/02 11:20] (current) – [S3 Characteristics] marcv | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ~~stoggle_openDIV~~ | + | --- // |
| ====== AWS Certified Solutions Architect ====== | ====== AWS Certified Solutions Architect ====== | ||
| Line 7: | Line 7: | ||
| :!: The default region is **US-East-1**. This is also the region where new services will be deployed first! Also when creating services like EC2 or S3, these are created within the region that you are in at the moment of creating! | :!: The default region is **US-East-1**. This is also the region where new services will be deployed first! Also when creating services like EC2 or S3, these are created within the region that you are in at the moment of creating! | ||
| - | ~~stoggle_closeDIV~~ | + | |
| ===== Well-Architected Framework ===== | ===== Well-Architected Framework ===== | ||
| There are 6 pillars of the well-architected framework: | There are 6 pillars of the well-architected framework: | ||
| Line 188: | Line 188: | ||
| {{: | {{: | ||
| + | |||
| + | :!: An explicit deny will always override an allow! Reference Documentation: | ||
| ==== IAM Building Blocks ==== | ==== IAM Building Blocks ==== | ||
| - | - Users: a physical person | + | - **Users**: a physical person |
| - | - Groups: Functions, such as administrators, | + | - **Groups**: Functions, such as administrators, |
| - | - Roles: Internal usage within AWS, allows 1 part of AWS to access another part of AWS (i.e. an S3 bucket that needs to be available to an EC2 instance) | + | - **Roles**: Internal usage within AWS, allows 1 part of AWS to access another part of AWS (i.e. an S3 bucket that needs to be available to an EC2 instance) |
| ==== Creating a User ==== | ==== Creating a User ==== | ||
| Line 229: | Line 231: | ||
| - SAML; your Windows AD (Active Directory) server. You need to create a trust between your AWS account and Active Directory Federation Services or | - SAML; your Windows AD (Active Directory) server. You need to create a trust between your AWS account and Active Directory Federation Services or | ||
| - OpenID Connect | - OpenID Connect | ||
| + | |||
| + | |||
| + | ==== Steps to secure your AWS root account ==== | ||
| + | |||
| + | - Enable multi-factor authentication (MFA)on the root account | ||
| + | - Create an admin group for you administrators and assign the appropriate permissions to this group | ||
| + | - Create user accounts for your administrators (and power users) | ||
| + | - Add your users to the admin (and power user) group. | ||
| + | |||
| + | :!: The reason I mention power users here is that they can anything accept IAM. They might be called functional admins. | ||
| + | |||
| ==== IAM Exam tips ==== | ==== IAM Exam tips ==== | ||
| + | * IAM is Universal; it does not apply to regions. | ||
| + | * The root account is created on first setting up AWS and it has complete admin access. Secure it as soon as possible and **do not** use it to log in day to day. | ||
| + | * New Users: no permissions when created | ||
| * Assign permission using IAM Policy Documents consisting of JSON (JavaScript Object Notation) | * Assign permission using IAM Policy Documents consisting of JSON (JavaScript Object Notation) | ||
| * Assign policy documents to groups when possible | * Assign policy documents to groups when possible | ||
| Line 236: | Line 252: | ||
| * Following the principle of least privilege, a newly created user does **NOT** have **ANY permissions** if not assigned by an administrator | * Following the principle of least privilege, a newly created user does **NOT** have **ANY permissions** if not assigned by an administrator | ||
| * **Access Key ID** and **Secret Access Key** can only be viewed **upon creation** so be sure to store them in a safe place | * **Access Key ID** and **Secret Access Key** can only be viewed **upon creation** so be sure to store them in a safe place | ||
| + | * Do **not** use the root account for anything other than managing permissions. Create a user within a admin group to assign permission etc | ||
| + | * The only difference between root user and a user with full admin permissions is that an admin user cannot delete a root user. The root user can delete all users. | ||
| + | * Access key ID and secret keys are not the same as usernames and passwords. They are used for programmatic and API access | ||
| + | * You only get to view keys once! | ||
| + | * Set up password rotations. You can create your own policies | ||
| + | * IAM Federation: Combine existing account with AWS using SAML with Active Directory setting up a trust, or use OpenID | ||
| + | * An explicit deny will always override an allow! Reference Documentation: | ||
| + | |||
| + | ===== S3 (Simple Storage Service) ===== | ||
| + | |||
| + | * S3 provides **Object** storage in a secure, durable, highly scalable way. | ||
| + | * Upload any file type you can think of to S3 | ||
| + | * Examples include photos, videos, code, documents etc | ||
| + | * Can **NOT** be used to run operating systems or databases | ||
| + | * It allows you to store and retrieve **any amount of data from anywhere** on the web at a very low cost. | ||
| + | * Amazon S3 is easy to use with a simple web service interface | ||
| + | |||
| + | |||
| + | ==== S3 Basics ==== | ||
| + | |||
| + | * Unlimited Storage" | ||
| + | * Objects up to 5TB in size | ||
| + | * Objects are stored in S3 Buckets (similar to directories) | ||
| + | * S3 buckets need to be uniquely named: all AWS accounts share the S3 namespace so each S3 Bucket name is **globally unique** | ||
| + | * Example S3 URLS: | ||
| + | - https:// | ||
| + | - https:// | ||
| + | * Uploading files; when you upload a file to an S3 bucket you will receive an **HTTP 200** code if successful | ||
| + | * An S3 Object consists of: | ||
| + | * **Key**; the name of the object (picture.jpg) | ||
| + | * **Value**: The data itself which is made up of a sequence of bytes | ||
| + | * **Version ID**: Important for storing multiple versions of the same object | ||
| + | * **Metadata**: | ||
| + | * S3 is a safe place to store your files; the data is spread across **multiple devices and facilities** to ensure **availability** and ** durability** | ||
| + | * Availability: | ||
| + | * Durability: 99.999999999% (9 decimal places) **durability** for data stored in S3 (meaning data will be stored safely) | ||
| + | |||
| + | ==== S3 Characteristics ==== | ||
| + | |||
| + | * Tiered Storage: S3 offers a range of storage classes designed for different use cases | ||
| + | * Lifecycle Management: Define rules to automatically transition objects to a cheaper storage tier or delete objects that are no longer required after a set period of time | ||
| + | * Versioning: with versioning, all versions of an object are stored and can be retrieved, **including deleted objects** | ||
| + | * Securing your data: | ||
| + | - Server-Side Encryption: You can set default encryption on a bucket to encrypt all **new** objects when they are stored in the bucket | ||
| + | - Access Control Lists (ACLs): define which AWS accounts or groups are granted access **AND** the type of access. You can attach S3 ACLs **only to individual objects within a bucket!** | ||
| + | - Bucket Policies: S3 bucket policies specify what actions are allowed or denied, e.g. allow user Alice to **PUT** but not **DELETE** objects in the bucket. These buckets are (like IAM policies) written in JSON and attached to buckets. They function on the **whole bucket!** For finer grained permissions you use the ACLs | ||
| + | - Strong Read-After-Write Consistency: | ||
| + | - After a successful write of a new object (PUT) or an overwrite of an existing object, any subsequent read request immediately receives the latest version of the object | ||
| + | - Strong consistency for list operations, so after a write you can immediately perform a listing of the objects in a bucket with all changes reflected | ||
| + | |||
| + | |||
| + | ==== Object Policies vs ACLs ==== | ||
| + | |||
| + | Object policies are given on the **bucket level**; all objects in the buckets get the same Object Policy and its permissions | ||
| + | |||
| + | ACLs are given on *individual objects**. Giving an ACL on 1 object in a bucket does not affect the other object in the same bucket. | ||
| + | |||
| + | :!: To make objects publically available, you need to configure both Object Policies and ACL on each object! | ||
| + | |||
| + | ==== S3 Tiers ==== | ||
| + | |||
| + | * S3 Standard: | ||
| + | * High Availability and Durability: | ||
| + | * Data is stored redundantly across multiple devices in multiple facilities (>=3 AZ's) | ||
| + | * 99.99% availability | ||
| + | * 99.999999999% durability (11 9's) | ||
| + | * Designed for Frequent Access; perfect for frequently accessed data | ||
| + | * Suitable for most workloads: | ||
| + | * The default storage class | ||
| + | * Use cases include websites, content distribution, | ||
| + | |||
| + | |||
| + | |||
| + | ==== S3 Exam tips ==== | ||
| - | ===== testing ===== | + | * S3 is object based which allows you to upload files |
| - | test | + | * Files up to 5Tb |
| + | * Not OS or DB storage | ||
| + | * Unlimited storage | ||
| + | * S3 is a Universal Namespace! | ||
| + | * Successful CLI or API uploads generate an HTTP 200 status code | ||
| + | * S3 objects consist of | ||
| + | - KEY (object name) | ||
| + | - VALUE (data itself) | ||
| + | - Version ID | ||
| + | - Meta data | ||
marc/linux/aws/solutionsarchitect.1676970980.txt.gz · Last modified: (external edit)
